askill skill: configmap-secret

Kubernetes ConfigMap and Secret

29 stars, 1.2k downloads, updated 3/3/2026

Package Files
SKILL.md

ConfigMap and Secret

Overview

Skills for configuration management and for handling sensitive data: how ConfigMaps and Secrets are created, consumed by Pods, updated, and protected. One point to keep in mind throughout: a Secret's data is only base64-encoded, not encrypted, so anyone who can read the object can read the value.

ConfigMap

Creating a ConfigMap

# The commands below are alternatives; each one creates a ConfigMap named my-config

# From literal values
kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2

# From a file (the key defaults to the file name, here config.properties)
kubectl create configmap my-config --from-file=config.properties
# From a file with an explicit key name
kubectl create configmap my-config --from-file=my-key=config.properties

# From a directory (one key per regular file in the directory)
kubectl create configmap my-config --from-file=config-dir/

# From an env file (KEY=VALUE lines, one key per line)
kubectl create configmap my-config --from-env-file=env.properties

ConfigMap YAML

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config
data:
  # Simple key/value pairs
  database_url: "mysql://localhost:3306/mydb"
  log_level: "info"
  
  # Multi-line configuration file
  nginx.conf: |
    server {
        listen 80;
        server_name localhost;
        location / {
            root /usr/share/nginx/html;
        }
    }
  
  # JSON configuration
  config.json: |
    {
      "debug": true,
      "port": 8080
    }

Using a ConfigMap

As environment variables (values are read once at container start and never change while the container runs)

spec:
  containers:
  - name: app
    env:
    # A single key
    - name: DATABASE_URL
      valueFrom:
        configMapKeyRef:
          name: my-config
          key: database_url
    # All keys (keys that are not valid environment-variable names are skipped and a warning event is recorded)
    envFrom:
    - configMapRef:
        name: my-config

Mounted as files

spec:
  containers:
  - name: app
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: my-config
      # Optional: project only the listed keys (other keys are omitted)
      items:
      - key: nginx.conf
        path: nginx.conf

Mounted as a single file (subPath, so the other contents of /etc/app are not hidden; note that subPath mounts are never updated after the Pod starts)

spec:
  containers:
  - name: app
    volumeMounts:
    - name: config-volume
      mountPath: /etc/app/config.json
      subPath: config.json
  volumes:
  - name: config-volume
    configMap:
      name: my-config

Secret

Creating a Secret

# From literal values (the values land in shell history and are visible in `ps`
# while the command runs; prefer --from-file or a manifest piped to `kubectl apply -f -`)
kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=secret123

# From a file (a tilde is not expanded after "=" inside an argument, so use $HOME)
kubectl create secret generic my-secret --type=kubernetes.io/ssh-auth --from-file=ssh-privatekey="$HOME/.ssh/id_rsa"

# TLS Secret (type kubernetes.io/tls, keys tls.crt and tls.key)
kubectl create secret tls tls-secret --cert=cert.pem --key=key.pem

# Docker registry Secret (type kubernetes.io/dockerconfigjson)
kubectl create secret docker-registry regcred \
  --docker-server=registry.example.com \
  --docker-username=user \
  --docker-password=password \
  --docker-email=user@example.com

Secret YAML

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  # base64-encoded values (encoding, not encryption: `base64 -d` reveals them)
  username: YWRtaW4=
  password: c2VjcmV0MTIz
---
# Equivalent definition using stringData: the API server encodes the values and
# stores them under data. Apply one manifest or the other; the second would overwrite the first.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
stringData:
  username: admin
  password: secret123
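As an added example (Python, standard library only; not part of the skill), the following builds the same Secret from plaintext the way the API server does for stringData, decodes what `kubectl get secret my-secret -o json` returns, and flags the two most common "decode errors": invalid base64 in a manifest and a stray trailing newline from `echo value | base64`. The SAMPLE_SECRET object is constructed for the example.

```python
import base64
import binascii
import json

# Constructed sample (not from the page): the JSON that
# `kubectl get secret my-secret -o json` would return for the manifest above,
# plus a "token" key that was created with a trailing newline, the classic
# `echo value | base64` mistake.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-secret", "namespace": "default"},
    "type": "Opaque",
    "data": {
        "username": "YWRtaW4=",       # "admin"
        "password": "c2VjcmV0MTIz",   # "secret123"
        "token": "dG9rZW4tYWJjCg==",  # "token-abc\n"  (stray newline)
    },
}


def make_secret(name: str, values: dict, namespace: str = "default") -> dict:
    """Build an Opaque Secret manifest with `data` already base64-encoded.

    This is exactly what the API server does when you submit `stringData`;
    the encoding is reversible and provides no secrecy. Values are encoded
    byte-exact, so no trailing newline sneaks in.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode("ascii") for k, v in values.items()},
    }


def decode_secret(secret: dict) -> dict:
    """Decode every key under .data (the `kubectl get ... -o json` shape)."""
    return {k: base64.b64decode(v, validate=True) for k, v in secret.get("data", {}).items()}


def invalid_base64_keys(secret: dict) -> list:
    """Keys whose value is not valid base64 (the API server would reject the manifest)."""
    bad = []
    for k, v in secret.get("data", {}).items():
        try:
            base64.b64decode(v, validate=True)
        except (binascii.Error, ValueError):
            bad.append(k)
    return bad


def trailing_newline_keys(secret: dict) -> list:
    """Keys whose decoded value ends in a newline: usually `echo` instead of `printf` or `echo -n`."""
    return [k for k, v in decode_secret(secret).items() if v.endswith(b"\n")]


if __name__ == "__main__":
    # Piping this manifest into `kubectl apply -f -` keeps the values out of shell history.
    print(json.dumps(make_secret("my-secret", {"username": "admin", "password": "secret123"}), indent=2))
    print("decoded:", {k: v.decode() for k, v in decode_secret(SAMPLE_SECRET).items()})
    print("keys with stray newline:", trailing_newline_keys(SAMPLE_SECRET))
```

A trailing newline is the usual cause of "the password is right but authentication fails": the application sends `secret123\n`. Check mounted files with `xxd` or `cat -A` before blaming the backend.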

Secret types (the built-in types require the keys shown below; the API server rejects a typed Secret that lacks them)

# Opaque (default: arbitrary user-defined keys)
type: Opaque

# TLS
type: kubernetes.io/tls
data:
  tls.crt: <base64>
  tls.key: <base64>

# Docker Registry
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64>

# Basic Auth
type: kubernetes.io/basic-auth
data:
  username: <base64>
  password: <base64>

# SSH Auth
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64>

Using a Secret

As environment variables

Convenient but the weakest option: the value is visible in /proc/<pid>/environ, is inherited by every child process, and ends up in crash dumps and debug output. Prefer the file mount below for credentials.

spec:
  containers:
  - name: app
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: password
    envFrom:
    - secretRef:
        name: my-secret

Mounted as files (readOnly plus defaultMode 0400 keeps the files private to the owning user; 0400 is an octal literal in YAML and must be written as 256 in JSON. If the container runs as a non-root user, set securityContext.fsGroup as well, otherwise root-owned 0400 files are unreadable to the process.)

spec:
  containers:
  - name: app
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret
      defaultMode: 0400
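An added Python audit (standard library only; not from the skill) over a Pod spec in JSON form, as `kubectl get pod <name> -o json` produces, flagging the patterns above that weaken Secret handling: Secrets injected as environment variables, envFrom over a whole Secret, group/other-readable defaultMode, and subPath mounts that will never see a rotated value. SAMPLE_POD and the finding texts are constructed for the example.

```python
import stat

# Constructed Pod (not from the page): the "bad" container consumes the Secret
# through environment variables and a subPath mount, and the volume is
# world-readable; the "good" container only reads the mounted files.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "audit-demo"},
    "spec": {
        "containers": [
            {
                "name": "bad",
                "image": "registry.example.com/myapp:latest",
                "env": [
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "my-secret", "key": "password"}}},
                ],
                "envFrom": [{"secretRef": {"name": "my-secret"}}],
                "volumeMounts": [
                    {"name": "secret-volume", "mountPath": "/etc/secrets/password", "subPath": "password"},
                ],
            },
            {
                "name": "good",
                "image": "registry.example.com/myapp:latest",
                "volumeMounts": [
                    {"name": "secret-volume", "mountPath": "/etc/secrets", "readOnly": True},
                ],
            },
        ],
        "volumes": [
            # defaultMode is decimal in JSON (0o644 == 420); the page's YAML 0400 is 256
            {"name": "secret-volume", "secret": {"secretName": "my-secret", "defaultMode": 0o644}},
        ],
    },
}


def audit_pod(pod: dict) -> list:
    """Return one finding per risky way this Pod spec handles Secrets."""
    findings = []
    spec = pod.get("spec", {})
    secret_volumes = {v["name"]: v["secret"] for v in spec.get("volumes", []) if "secret" in v}

    for vname, vol in secret_volumes.items():
        mode = vol.get("defaultMode", 0o644)  # Kubernetes default when unset
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                f"volume {vname}: defaultMode {mode:04o} is readable by group/other; use 0400 "
                f"(with securityContext.fsGroup if the container is non-root)")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(
                    f"container {c['name']}: env {e['name']} comes from Secret "
                    f"{ref['name']}/{ref['key']}; the environment is visible in /proc, inherited by "
                    f"child processes and copied into crash dumps; mount it as a file instead")
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append(
                    f"container {c['name']}: envFrom exposes every key of Secret "
                    f"{ef['secretRef']['name']} as environment variables")
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes and m.get("subPath"):
                findings.append(
                    f"container {c['name']}: subPath mount of Secret volume {m['name']} at "
                    f"{m['mountPath']} never receives rotated values")
    return findings


if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print("-", finding)
```

Run it over `kubectl get pods -A -o json | jq -c '.items[]'` line by line to sweep a cluster; the same checks apply to the Pod template inside a Deployment (`.spec.template`).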

Image pull credentials

spec:
  imagePullSecrets:
  - name: regcred
  containers:
  - name: app
    image: registry.example.com/myapp:latest

Common commands

# Inspect a ConfigMap
kubectl get configmap
kubectl describe configmap my-config
kubectl get configmap my-config -o yaml

# Inspect a Secret (describe shows only key names and sizes; -o yaml prints the base64 values,
# so "get" permission on secrets is effectively read access to the credentials)
kubectl get secret
kubectl describe secret my-secret
kubectl get secret my-secret -o yaml

# Decode one key of a Secret
kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d

# Edit in place (Secret values appear base64-encoded in the editor)
kubectl edit configmap my-config
kubectl edit secret my-secret

# Delete
kubectl delete configmap my-config
kubectl delete secret my-secret

Common scenarios

Scenario 1: hot-reloading application configuration

# Mount the ConfigMap as a directory (the kubelet updates the files in place)
spec:
  containers:
  - name: app
    volumeMounts:
    - name: config
      mountPath: /etc/config
  volumes:
  - name: config
    configMap:
      name: my-config
# Notes: a subPath mount is never updated (it binds the original file rather than
# the ..data symlink the kubelet swaps); environment variables are read once at
# container start and never update; a directory mount sees the change after the
# kubelet sync period plus cache propagation delay, so the application must
# re-read the files instead of caching them forever
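An added Python example (not kubelet code, and not from the skill) that reproduces the layout the kubelet uses for a ConfigMap volume, a `..<id>` directory per revision, a `..data` symlink swapped atomically, and one symlink per key, and shows why a directory mount sees the update while a subPath-style binding keeps serving the old file. The `ConfigWatcher` class is the pattern an application can use to reload only when `..data` changes; the directory names and the `demo()` flow are assumptions of the simulation.

```python
import os
import tempfile


def write_configmap_volume(mount: str, data: dict) -> None:
    """Update a mount directory the way the kubelet does (constructed simulation
    of its atomic writer, not kubelet code): write the new contents into a fresh
    ..<id> directory, atomically repoint the ..data symlink at it, and keep one
    top-level symlink per key into ..data/. Old ..<id> directories are left in
    place here; the real kubelet removes them after the swap."""
    new_dir = tempfile.mkdtemp(prefix="..", dir=mount)
    for key, value in data.items():
        with open(os.path.join(new_dir, key), "w") as f:
            f.write(value)
    tmp_link = os.path.join(mount, "..data_tmp")
    os.symlink(os.path.basename(new_dir), tmp_link)
    os.replace(tmp_link, os.path.join(mount, "..data"))  # single atomic rename
    for key in data:
        link = os.path.join(mount, key)
        if not os.path.lexists(link):
            os.symlink(os.path.join("..data", key), link)


class ConfigWatcher:
    """Re-read a key only when ..data points at a new directory, i.e. after the
    kubelet has swapped in a new ConfigMap revision. Call reload_if_changed()
    from a timer or before each use; it is a single readlink when nothing changed."""

    def __init__(self, mount: str, key: str):
        self.mount, self.key = mount, key
        self._revision = None
        self.value = None
        self.reload_if_changed()

    def reload_if_changed(self) -> bool:
        revision = os.readlink(os.path.join(self.mount, "..data"))
        if revision == self._revision:
            return False
        with open(os.path.join(self.mount, self.key)) as f:
            self.value = f.read()
        self._revision = revision
        return True


def demo() -> tuple:
    """Returns (watcher value after update, value seen via a subPath-style binding, changed?)."""
    with tempfile.TemporaryDirectory() as mount:
        write_configmap_volume(mount, {"log_level": "info"})
        watcher = ConfigWatcher(mount, "log_level")
        # A subPath mount bind-mounts the file the symlink resolved to at
        # container start, so it keeps pointing into the old ..<id> directory.
        subpath_target = os.path.realpath(os.path.join(mount, "log_level"))

        write_configmap_volume(mount, {"log_level": "debug"})  # like `kubectl edit configmap`
        changed = watcher.reload_if_changed()
        with open(subpath_target) as f:
            stale = f.read()
        return watcher.value, stale, changed


if __name__ == "__main__":
    print(demo())
```

Inside a real Pod, `ls -la /etc/config` shows the same shape: `..data -> ..2024_...`, `log_level -> ..data/log_level`. Watching the `..data` symlink (or using inotify on the mount directory) is more reliable than watching an individual key, because the key's symlink itself never changes.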

Scenario 2: per-environment configuration

# Create one ConfigMap per environment
kubectl create configmap app-config-dev --from-file=config-dev/
kubectl create configmap app-config-prod --from-file=config-prod/

# Reference the right one from the Deployment; manage the variants with
# Kustomize (a configMapGenerator per overlay) or Helm values

Scenario 3: external secret management

# External Secrets Operator: syncs a value from an external store (here a SecretStore
# backed by AWS Secrets Manager) into an ordinary Secret named my-secret, refreshed hourly,
# so the credential never has to live in Git
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-external-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: my-secret
  data:
  - secretKey: password
    remoteRef:
      key: prod/db/password

Scenario 4: configuration file templates

The ${VAR:default} placeholders below are expanded by the application when it loads the file (Spring-style property placeholders resolved from environment variables); Kubernetes itself performs no substitution inside ConfigMap values, so a missing variable is the application's problem to report.

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  application.yaml: |
    server:
      port: ${SERVER_PORT:8080}
    database:
      url: ${DATABASE_URL}
      username: ${DATABASE_USER}

Best practices

# 1. Never commit plaintext Secrets to Git (base64 is not encryption)
# Use Sealed Secrets (encrypted in Git, decryptable only by the in-cluster controller)
# or External Secrets (the values stay in the external store)

# 2. Restrict who can read Secrets
# RBAC: "get" or "list" on secrets is read access to the credentials; scope Roles to the
# namespace and, for get, to resourceNames, and watch for wildcard rules. Also enable
# encryption at rest (EncryptionConfiguration on the API server): by default Secrets
# are stored in etcd unencrypted.

# 3. Rotate Secrets regularly
# Automate it (External Secrets refreshInterval, or a CI job); file-mount consumers
# must re-read the files after rotation, env-var consumers need a restart

# 4. Use immutable ConfigMaps/Secrets (GA in Kubernetes 1.21)
# The kubelet stops watching immutable objects (less API-server load) and nobody can
# change them by accident; the flag cannot be unset, so to change the data you delete
# and recreate the object (usually under a new name, then roll the Deployment)
apiVersion: v1
kind: ConfigMap
metadata:
  name: immutable-config
immutable: true
data:
  key: value
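An added Python example (standard library only; not from the skill) for best practice 2: it generates a Role plus RoleBinding that lets one ServiceAccount `get` named Secrets only, and audits existing Role/ClusterRole objects, as returned by `kubectl get role <name> -o json`, for rules that read every Secret in scope. The generated verbs deliberately omit list and watch: resourceNames does not narrow those (the API server only honours it for list when the request itself carries a metadata.name field selector), so a role meant for one Secret must grant get only. BROAD_ROLE and all names are constructed for the example.

```python
# Constructed RBAC object (not from the page): a typical "read-only developer" role
# that in fact hands out every credential in the namespace.
BROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "dev-read", "namespace": "prod"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list", "watch"]},
    ],
}

READ_VERBS = {"get", "list", "watch", "*"}


def least_privilege_secret_role(namespace: str, name: str, service_account: str, secret_names: list) -> list:
    """Role + RoleBinding letting one ServiceAccount `get` only the named Secrets."""
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{
            "apiGroups": [""],
            "resources": ["secrets"],
            "resourceNames": list(secret_names),
            "verbs": ["get"],  # no list/watch: resourceNames cannot narrow those verbs
        }],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": service_account, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
    }
    return [role, binding]


def audit_secret_access(role: dict) -> list:
    """Findings for rules of a Role/ClusterRole that grant read access to Secrets."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        if not (groups & {"", "*"} and resources & {"secrets", "*"} and verbs & READ_VERBS):
            continue  # this rule does not grant read access to Secrets
        where = f"{role.get('kind', 'Role')} {role.get('metadata', {}).get('name', '?')} rule {i}"
        if "*" in resources or "*" in verbs:
            findings.append(f"{where}: wildcard resources/verbs include Secrets")
        if not rule.get("resourceNames"):
            findings.append(f"{where}: {sorted(verbs & READ_VERBS)} on secrets without "
                            f"resourceNames reads every Secret in scope")
        elif verbs & {"list", "watch", "*"}:
            findings.append(f"{where}: list/watch are not narrowed by resourceNames; grant get only")
    return findings


if __name__ == "__main__":
    import json
    # Pipe into `kubectl apply -f -`; kubectl accepts a JSON array of objects.
    print(json.dumps(least_privilege_secret_role("prod", "app-secret-reader", "app", ["my-secret"]), indent=2))
    for finding in audit_secret_access(BROAD_ROLE):
        print("-", finding)
```

After applying, confirm the effect with `kubectl auth can-i list secrets -n prod --as=system:serviceaccount:prod:app` (expected: no) and `kubectl auth can-i get secret/my-secret -n prod --as=system:serviceaccount:prod:app` (expected: yes). Running the audit over `kubectl get roles,clusterroles -A -o json` finds the broad grants that accumulate over time.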

Troubleshooting

Symptom                      | What to check
-----------------------------|----------------------------------------------------------------------
Configuration not updated    | Is it a subPath mount or an environment variable (neither updates)? Restart the Pod, or wait for the kubelet sync period
Secret decode error          | Is the base64 valid, without a stray trailing newline (echo vs printf)? Was plaintext put under data instead of stringData?
Permission denied            | defaultMode versus the container's runAsUser/fsGroup; RBAC for the ServiceAccount if it reads Secrets through the API
Mount fails (ContainerCreating) | Does the ConfigMap/Secret exist in the same namespace with the referenced keys, or is optional: true set?

# Check the mount
kubectl exec pod-name -- ls -la /etc/config
kubectl exec pod-name -- cat /etc/config/key

# Check environment variables
kubectl exec pod-name -- env | grep KEY

Install: requires askill CLI v1.0+


Metadata

License: unknown
Version: 1.0.0
Updated: 3/3/2026
Publisher: chaterm

Tags

database, security